jvoss@altsci.com
March 6, 2008
It's a pretty simple virus, so the lessons learned from analysis of this virus should carry over to more than just this virus. I tried to write it generically enough to fit any case, so when I analyze it I will compare it to other viruses and how things on the net work. I'll try to come from a neutral standpoint because the idea of demonizing or glorifying a virus are counterproductive to the task of learning what it is and why it is. I'll try to keep the philosophy in the next to last section clearly marked so people who wish can skip over it or skip to it if that's their prerogative.
Every virus needs to get onto a computer (host) somehow. Viruses of old days resided on floppies. These days they are much more often carried by computer networks, the internet being the largest. If you think of floppies and other medium as sort of sneakernet, then all viruses need a network. This method of transfer ends up running code on a system that is commonly unintended by the user. In the SSH Bruteforce Virus, I spread the virus using a dictionary password cracker that supports Secure Shell (SSH). This is very simple and uses an open source library for SSH (libssh-0.2). When my virus successfully logs into a remote system, it copies a tar archived version of itself to the victim. It extracts the archive and executes the payload script. The remote system now has an exact copy of the virus. This is the definition of a replication virus. At this point, the system is infected and can infect more systems.
Read more »DRM on MP3s
jvoss@altsci.com
Oct 20, 2009
I downloaded Incubus' new album and I noticed that if I had Java turned off (like any sane person should) it would direct me to a zip file download. The zip file only had 15 songs. I asked support about it and they were aloof, obviously they and their devs had never turned off Java after the first non-deluxe album. The Java downloader is unnecessary but there is an interesting property. The files are different from the ones in the zip file. At first I was certain that it was DRM. But it's pretty difficult to put DRM in one bit. That is what is happening here.
jvoss@ASLinWS01:~/src$ diff -u <(hexdump ~/sonygivememyfucking\ music/Incubus/Monuments\ And\ Melodies/05-Love\ Hurts.mp3) <(hexdump ~/music/NoBackup/Incubus_MonumentsAndMelodies/Incubus_05_LoveHurts.mp3)
--- /dev/fd/63 2009-10-20 10:11:14.315839749 -0700
+++ /dev/fd/62 2009-10-20 10:11:14.316840293 -0700
@@ -16,7 +16,7 @@
00000f0 2820 6562 6174 3620 202c 6544 2063 3731
0000100 3220 3030 2937 4c54 4e45 0000 0700 0040
0000110 3200 3733 3333 5433 4f50 0053 0000 0004
-0000120 0000 2f31 4132 4950 0043 3801 009b 0000
+0000120 0000 2f31 4131 4950 0043 3801 009b 0000
0000130 6d69 6761 2f65 706a 6765 0000 ff00 ffd8
0000140 00e0 4a10 4946 0046 0101 0101 012c 002c
0000150 ff00 00db 0043 090d 0a09 0a0a 0b0e 0e0b
The only thing I can think of is that they could have DRM'ed the zip file also and I am just seeing the session id incrementing. However, I think it is unlikely that they have DRM'ed the zip file. Does anyone have a copy of Incubus - Monuments and Melodies to test against?
Read more »
Nov 14, 2008
On Feb 24, 2008 I wrote specs and a simple parser for my own programming language. The first level of parsing returned a list of types. The second level (currently nearly finished) would sort the types into statements that could be executed line by line using an interpreter or that could be translated into assembly (see ASLang2). The language was designed to compile in automatic bounds checking and would not allow non-deterministic code to compile. This is not an outrageous goal, in fact most interpreted languages do the same. Funny examples of non-deterministic code being executable exist in Python, PHP, and Perl. To a developer, though a magic bullet would be nice. In fact, it would be nice if the compiler was able to print out a list of possible boundary breaks. But before I finished my language, I decided that it would be possible and easy to simply write the same compiler for C/C++. I would get a list of variables, find all pointers in the code, and count whether it's possible to overwrite anything.
Read more »
June 9, 2008
Doing a bit of preliminary analysis, I found out that I could cheaply portscan a single port on every machine on the internet. To what end? Since I wrote a research virus that exploits weak passwords on SSH, it makes sense to know what servers exist and how likely an SSH attack would succeed against the network as a whole. Though I don't plan to unleash this attack and I don't expect that my virus adds to the already widespread SSH bruteforce attacks currently underway by malicious entities, I would definitely like to research and release data on who is using SSH. Since portscanning is quite easy, I started my server on the task. Note that I'm not releasing a tarball at this time since the software to do this can be printed in the usage section.
Read more »